---
title: Configuring SAML SSO with Azure AD
updatedAt: 2023-08-17
summary: For Dub Enterprise users, you can securely manage your team's access to Dub using Azure AD SAML SSO.
author: steventey
categories:
  - saml-sso
related:
  - azure-scim
  - okta-saml
  - google-saml
excludeHeadingsFromSearch: true
---

<Note variant="success">
  This feature is only available on [Dub Enterprise](/pricing).
</Note>

For Dub Enterprise users, you can securely manage your team's access to Dub using [Azure AD SAML SSO](https://learn.microsoft.com/en-us/azure/active-directory/architecture/auth-saml).

## Step 1: Create or Select SAML Application

In your [Azure Admin console](https://portal.azure.com/), select **Azure Active Directory** (or search for it in the search bar).

<Image
  alt="Azure Active Directory option on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-ad.png"
  width={2498}
  height={1108}
  hideCaption={true}
/>

Then, click on **Enterprise applications** from the left sidebar.

<Image
  alt="Enterprise applications option on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-ent-apps.png"
  width={2488}
  height={1412}
  hideCaption={true}
/>

If you already have an existing Azure AD SAML application, select it from the list and move on to [Step 2](#step-2-configure-saml-applicaation).

If not, click on **New application** at the top.

<Image
  alt="Create new application button on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-new-app.png"
  width={2490}
  height={1304}
  hideCaption={true}
/>

In the next screen, click on **Create your own application**. Give your application a **Name** (e.g. "Dub") and click **Create**.

<Image
  alt="Create your own application option on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-create-own.png"
  width={2782}
  height={1636}
  hideCaption={true}
/>

## Step 2: Configure SAML Application

Under the **Manage** section in the left sidebar, select **Single sign-on**. Then, click on **SAML**.

<Image
  alt="SAML option on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-saml.png"
  width={2782}
  height={1474}
  hideCaption={true}
/>

Under the **Basic SAML Configuration** section, click on **Edit**.

<Image
  alt="Edit button on the SAML Settings page on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-saml-edit.png"
  width={2478}
  height={1382}
  hideCaption={true}
/>

This will open up a sheet overlay. Under **Basic SAML Configuration**, enter the following values:

<CopyBox title="Identifier (Entity ID)" copy="https://saml.dub.co" />

<CopyBox
  title="Reply URL (Assertion Consumer Service URL)"
  copy="https://api.dub.co/auth/saml/callback"
/>

<Image
  alt="Basic SAML Configuration section on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-basic-saml.png"
  width={3024}
  height={1720}
  hideCaption={true}
/>

Click **Save** in the menu bar to save your changes.

<Image
  alt="Basic SAML Configuration section on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-save-saml.png"
  width={1788}
  height={1062}
  hideCaption={true}
/>

## Step 3: Attribute Mapping

Click **Edit** on the **Attributes & Claims** section.

<Image
  alt="Attributes & Claims section on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-attributes.png"
  width={2478}
  height={1580}
  hideCaption={true}
/>

Under **Additional claims**, make sure the following entries are present:

| Name                                                               | Value                  |
| ------------------------------------------------------------------ | ---------------------- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail              |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname    | user.givenname         |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name         | user.userprincipalname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname      | user.surname           |

<Image
  alt="Additional claims section on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-attributes-claims.png"
  width={1772}
  height={1004}
  hideCaption={true}
/>

Once that's done, click on the `X` button in the top right corner to go back to the main settings page (or click the back button in your browser).

## Step 4: Copy the Metadata URL

Scroll down to the 3rd section on the page, **SAML Certificates**. Copy the **App Federation Metadata Url** value and return to the Dub dashboard.

<Image
  alt="Metadata URL on the Azure Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-metadata-url.png"
  width={2516}
  height={1408}
  hideCaption={true}
/>

## Step 5: Configure SAML SSO on Dub

In your project dashboard on Dub, click on the **Settings** tab in the menu bar at the top. Then, click on the **Security** tab in the sidebar.

<Image
  alt="SAML SSO section on the Dub Dashboard"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/saml-sso-section.png"
  width={2480}
  height={1486}
  hideCaption={true}
/>

Under the **SAML Single Sign-On** section, click on **Configure**. This will open up the SAML SSO modal:

1. Select **Azure AD** as the SAML provider.
2. Enter the **App Federation Metadata Url** value that you copied from Step 4.
3. Click **Save changes**.

<Image
  alt="SAML SSO Modal"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-saml-modal.png"
  width={2022}
  height={1372}
  hideCaption={true}
/>

## Step 6: Assign Users

<Note variant="warning">
  We highly recommend configuring [SCIM Directory Sync](azure-scim) before
  assigning users & groups to your project. This will ensure that your users are
  automatically added to your project when they sign in for the first time, as
  well as automatically removed when they are deactivated in Azure.
</Note>

Once you've configured SAML SSO, you can start assigning users & groups to your project.

From your application, click the **Users and groups** from the left navigation menu and click **Add user/group**.

<Image
  alt="Adding users in Azure AD"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-scim-add-users.png"
  width={2918}
  height={1570}
  hideCaption={true}
/>

Click on **None Selected** under **Users**.

From the right side of the screen, select the users you want to assign to the app and click the **Select** button. Thenm click **Assign** to those users to your app.

<Image
  alt="Assigning users in Azure AD"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/azure-scim-assign-user.png"
  width={1564}
  height={1356}
  hideCaption={true}
/>

Your assigned users should now receive an invitation email to join your Dub project.

<Image
  alt="SAML invite email"
  src="https://d2vwwcvoksz7ty.cloudfront.net/help/saml-invite.png"
  width={2918}
  height={1578}
  hideCaption={true}
/>

<Note variant="warning">
  Azure AD SCIM provisioning can take [anywhere between 20-40 minutes to
  sync](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad#provisioning-tips).
  This means that it may take up to 40 minutes for your users to receive the
  invitation email and be able to join your Dub project.
</Note>

They will also be able to sign in to Dub using Azure AD SSO.
